Posts Tagged ‘fraud’

Today’s Scams

December 5th, 2008

Will it ever end?

I need to start by mentioning that I have so much spam protection set up for my e-mail accounts that I get a total of less than 30 unsolicited e-mail messages a day — on 10 e-mail accounts. I think that’s pretty damn good, considering what’s going on out there.

Yet today, I got TWO scam messages before I started my day’s work. I want to take a moment to mention them because I want to help educate people about how scammers are trying to separate unsuspecting people from their money.

I’ll pay you $8000 with my credit card and you give me $4,820 in cash.

The first was a repeat of a scam that I first experienced in May 2007. I wrote about it here. This is a twist on the old scam where you’re selling something and a buyer wants to use a certified check to overpay you and get the excess cash to “an agent” for some other purpose. In my case, what I was selling was helicopter tour services. The “client” was from Germany, planning a vacation in the area, and wanted to prepay for tours around the area for his family. The first time I saw this scam, I got sucked in a bit — until the prepay part, which included money forwarded to a “logistic agent.” Alarm bells went off. You can read all the messages and my accompanying thoughts in the post I linked to above. I highly recommend this post for anyone selling any high-ticket items — goods or services — on the Web.

Today’s message sounded familiar when I read it. A search through my blog using the word “scam” brought it up to refresh my memory. A comparison between today’s e-mail message and the May 2007 message resulted in many identical words and phrases — even the 95-lb weight of the 16-year-old son.

I replied with a link to the post, using TinyURL to mask the URL:

You might want to read the following for more information about how we handle reservations like this:

http://tinyurl.com/5tcryd

Busted!

For security reasons we have sent you this message as an attachment file.

If that doesn’t send off bells and whistles, you deserve to be scammed. The e-mail message in question was supposedly from Barclays Bank. I don’t have an account there, so there was no chance that I was going to open the attachment.

The attachment was an innocent-looking HTML file. It could have contained any kind of malicious code or links to a site that would install malware. It could have simply prompted me to enter my Barclays account information, which it would then forward to the scammers so they could suck money out of my account.

This might seem simple to everyone — don’t open an attachment. But if you have a Barclays account, and the message says the attachment is part of a new security program, and you’re gullible, you might just open it.

Don’t. Open. Any. Attachments. In. Messages. Unless. You. Know. They’re. Safe.


Today’s Phishing Scheme

November 15th, 2008

Don’t fall for it!

Here’s the one I’ve been getting for the past two days. I’ve gotten three of these so far. If you get a message like this, do NOT click the link. It’s just another phishing scheme:

Dear Customer,

You are invited to take part in our nation-wide 5 question survey. Your time is very important to us
so $50 will be credited to your account upon the completion of this survey.

Please note that no sensitive information will be required, collected or stored. The information will
be used to further improve our services

To take part please click here

© 2008 JPMorgan Chase & Co.

The clues:

  • Addressed to a generic Dear Customer.
  • Typos, misspellings, bad punctuation.
  • Do you even have an account with JP Morgan Chase & Co.?
  • Do you really think anyone would pay $50 for you to take a survey?

Don’t be a sucker! Don’t click any link in an e-mail message!


How Not to Get Caught in a Phishing Net

November 11th, 2008

Don’t get fooled.

Today I got an e-mail message from American Express. It said, in part:

During our regualry scheduled accounts maintenance and verification procedures,
we have detected a slight error regarding your American Express Account.

This might be due to one of the following reasons:

1. A recent change in your personal information (i.e. address changing)
2. Submitting invalid information during the initial sign up process.
4. Multiple failed logins in your personal account.
3. An inabillity to accurately verify your selected option of payment due to an internal error within our system.

Please update and verify your information by clicking the following link:

Continue To American Express Online Update Form

*If you account information is not updated within 48 hours then your ability to access your account will be restricted.

Thank you,
American Express , Billing Department.

The type was tiny, which is probably why I didn’t notice the typos and spelling/grammar mistakes. Or perhaps I didn’t notice them because I’ve become so accustomed to skimming incoming mail rather than reading it.

The message looked official. It had the Amex logo and used their normal color schemes. But what really made it look genuine was the note near the bottom:

E-mail intended for your account.

If you are concerned about the authenticity of this message, please click here or call the phone number on the back of your credit card. If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here

Note: If you are concerned about clicking links in this e-mail, the American Express mentioned above can be accessed by typing https://www.americanexpress.com directly into your browser.

The hint that this wasn’t as legitimate as it seemed came when I pointed to the link to supposedly update my account information. The URL that appeared in a yellow box in my e-mail client consisted of an IP address followed by /home.americanexpress.com/.

Of course, the e-mail message wasn’t real. When I typed http://www.americanexpress.com/ into my Web browser and logged into my account, there was no indication of any problem.

Phishing, Defined

Wikipedia, everyone’s favorite online encyclopedia, defines phishing as:

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites (Youtube, Facebook, Myspace), auction sites (eBay), online banks (Wells Fargo, Bank of America, Chase), online payment processors (PayPal), or IT Administrators (Yahoo, ISPs, corporate) are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose URL and look and feel are almost identical to the legitimate one.

My spam protection software is very good at weeding out phishing attempt messages, so I rarely see them. This one almost fooled me. If I’d been suckered in like so many probably were today, I would have clicked the link and entered my American Express login information in the screen that appeared. That information would have been captured in the phishing net and used to access my American Express account online.

It Isn’t PayPal

One of the Web sites I maintain is for a friend of mine who makes and sells helicopter ground handling wheels: HelicopterWheels.com. He’s an older guy who’s only been using computers for a few years. When I set up the original site, he asked me to set up online ordering. I’ll be the first to admit that I know little about setting up ecommerce solutions. So I set him up with the easiest and most secure method of accepting payments that I knew: PayPal.

Now PayPal has a bad reputation with some folks and I’m really not interested in hearing reader complaints about it. I use PayPal for my online ordering needs and although it isn’t a perfect solution, it does work and it seems safe enough to me.

Unfortunately, my friend received an e-mail message telling him that he had to verify some PayPal settings. The message was a phishing scam and my friend fell for it. He got hit for a bunch of money — which I’m not sure if he recovered. He immediately blamed PayPal and had me take the Buy Now buttons off his site.

I felt bad for him. After all, I’d recommended PayPal. But I’m also not the kind of person who gets sucked in by phishing schemes. I assumed he wasn’t either. I was wrong.

Don’t Get Caught

So here’s the only rule you need to prevent yourself from becoming the victim of a phishing scam:

Never click a link in any e-mail message.

If you get a message from your bank or credit card company or PayPal or any other service that requires you to enter a user ID and password to access it, do not click any link in that message. Instead, go directly to the site by typing the URL into your browser’s Address bar or using a Bookmark/Favorite that you’ve already set up. If there is a legitimate problem with your account that requires your attention, you’ll find out after logging in the safe way.

Of course, there are plenty of clues that can help you identify phishing attempts:

  • Messages not addressed to your name. For example, Dear Cardholder instead of Dear Maria Langer.
  • Typographical, spelling, and grammar errors in the e-mail message. Do you think American Express would spell regularly wrong?
  • Messages sent to an e-mail address that you did not register with the organization supposedly sending the e-mail message to you. For example, the message I got today was sent to my Flying M Air e-mail account, which is not on file with American Express.
  • URLs that point to IP addresses rather than recognizable domain names. For example, http://35.32.185.43/account rather than http://www.americanexpress.com/account.

But you don’t have to worry about any of this. Just follow the golden rule listed above. Here it is again, in case you’ve forgotten: Never click a link in any e-mail message.

If you follow this rule, you should stay safe from phishing schemes.
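
The URL clue in the list above, and the link described earlier in this post (an IP address followed by /home.americanexpress.com/), can also be checked by a mail filter. The Python below is an added example, not part of the original post; the BRANDS list, the function names and the sample message (which uses the documentation address 192.0.2.10) are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRANDS = ("americanexpress.com", "paypal.com")  # constructed watch list

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text=""):
    """Return the reasons, if any, that a link matches the clues in this post."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    try:
        ipaddress.ip_address(host)  # raises ValueError for ordinary host names
        reasons.append("host is an IP address")
    except ValueError:
        pass
    for brand in BRANDS:
        if host == brand or host.endswith("." + brand):
            continue  # the link really goes to the brand's own domain
        if brand in parts.path.lower():
            reasons.append(f"{brand} is in the path, not the host")
        if brand.split(".")[0] in text.lower().replace(" ", ""):
            reasons.append(f"text names {brand} but the link goes elsewhere")
    return reasons

def scan_html(body):
    parser = LinkCollector()
    parser.feed(body)
    return [(href, check_link(href, text)) for href, text in parser.links]

# Constructed sample message body; 192.0.2.10 is a documentation address.
SAMPLE = ('<a href="http://192.0.2.10/home.americanexpress.com/">Continue To '
          'American Express Online Update Form</a> <a href="https://www.americanexpress.com/">Amex</a>')
```

Running scan_html(SAMPLE) flags the first link on all three counts and returns no reasons for the second, which points at the real domain.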

Got a story to share? Use the Comments link or form for this post to speak your piece.


Internet Scam Foiled

May 30th, 2007

Another foreigner attempts to separate me from large sums of money.

It’s unfortunate but true that the Internet is being used by con artists. Here’s my most recent experience.

The Hook

It started with a query using the form on the Flying M Air web site:

My name is [omitted], I want to book for an Helicopter /flight charter for my family because,during our stays in your your state,we will be going on tours around the town.

These are information for our Booking,
Preferred Date of Tour: 10th,11th,12th, and 13th July 2007 (4days)
Time: 1hr in a day.
Passengers: 4
1. MR. MR. [omitted] ——-weigh 130pounds
2.MRS [omitted]{My Wife} weigh 120pounds
3.[omitted] 16 yrs}weigh 95pounds
4.[omitted] 13yrs } 80pounds
Mode of Payment: Credit Card(Visa Card).

I want you to give me the total expensis for the 4days tour at 1hr per day.
I hope that you accept credit card payment.

It looked legitimate enough. The English was dismal, but that’s to be expected from someone whose first language isn’t English.

I didn’t read the message very closely because my helicopter seats only 3 passengers so I couldn’t accommodate his party. (If I had read closely, I would have wondered a bit about his 16-year old son weighing only 95 lbs.)

I replied as follows:

Unfortunately, we can take a maximum of only 3 passengers. You can try the following other companies, which both have larger helicopters:

Gold Coast: 623-935-3388
WestCor: 480-991-6558

If you call either one, please tell them Maria sent you.

Good luck!

I figured that would be the end of our exchange. But I was wrong. The next day, I got this message:

I want you to indicate the price for the 3 pers. one of us will be staying back each day.

This was a bit weird, almost as if he was willing to leave a member of his family behind just to use my services. But I reasoned it out. He may have contacted the other companies (or planned to) and wanted to work up pricing to be better informed about his options.

I replied:

For flights out of the Phoenix area, our rate is $795 for the first hour and $450 for each additional hour that same day. That covers up to three people with a maximum passenger weight of 650 pounds (290 kilos). There is a one hour minimum flight time for all flights out of the Phoenix area. The Phoenix area includes departures from Scottsdale, Deer Valley, Glendale, and Sky Harbor Airports.

We can fly throughout the Phoenix area and to places like the Grand Canyon, Sedona, etc. We cannot fly OVER the Grand Canyon — we do not have a permit to do that — but we can make arrangements with a company at the Grand Canyon for you to do that flight if you like. Prices start at about $175/person for canyon overflights. There are also a few restricted areas within Arizona where we can’t fly, mostly to the south.

We need at least 48 hours advance notice for all flights booked during the summer months. We accept payment by cash, MasterCard, or Visa, but we must have a credit card deposit to book flights.

If you have any other questions, please don’t hesitate to ask.

The Line

His response came almost immediately:

Thanks for your kind response, i would like to inform you that i have concluded arrangement with hotel/logistic agent that will book hotel and other take care of other service that will be requested from my family during the stay in the state.

I will send you credit card to deduct the total charges of your service and my logistic agent, because i don’t want to share the details with a third party,beside the agent runs a private and does not have a credit card facilities to runs his full payment.

So once you are in receipt of credit card,you will charge the amount of ($8000) then you deduct the cost of your service ($3180(for four days) and send the balance of ($4820) to my logistic agent whose information will be forwarded to you once you charge the credit card.

I am also aware that there will be charges for the credit card, i want you to mention the figure so that i will include it on the total amount that will be charged from my credit card.

I want you to confirm this and get back to me with your name, mobile number and address for my personal documentation.

The alarm bells went off in my head. Back in 2004, when I sold my old helicopter, someone had tried a similar scam. They’d offer to pay you more than they owed you for an item you had for sale (in my case, an R22 helicopter listed for $110,000) using a certified check. The additional amount was to be forwarded in cash to an “agent” somewhere in the U.S. (In my case, it was $12,000 for shipping fees.) Once the agent had the money, the check would somehow bounce and you’d be out the extra cash. Of course, all correspondence would be via e-mail and fax. I’m not quite sure how the cash was to be handed over because it never got that far.

In my case, I insisted on using an escrow agent, which would cost me an additional $500. (Worth every penny.) The R22 “buyer” — who was willing to pay $105K for the ship, sight unseen — kept ignoring my requests to contact the escrow agent. He finally stopped our correspondence and I knew a scam had been attempted.

Someone else I knew fell for a similar scam when selling an RV and lost $2,000.

The Sinker

I knew this was a scam. How many people tell you to charge their credit card for a trip when all you asked for was a deposit? We hadn’t booked anything, I hadn’t given him any total prices, I hadn’t even asked for a deposit. But he was telling me to charge his credit card for $8,000.

But I had to play it cool, just on the off chance that it wasn’t a scam. So I replied:

I didn’t mention anything about prepayment. All I need is a deposit. And I don’t take deposits until I have reservations booked. You did not make any reservations.

I don’t charge credit cards for more than the amount of my services. And I don’t pay “agents” from money collected by check or credit card. That’s a popular internet con that I’ve seen in the past. (I didn’t fall for it then, either.)

If you want to book a flight, let me know the details so I can draw up a contract. I will fax it to you for your signature and credit card information for the deposit. You can then mail or fax it back to me with the address I provide on the contract form.

If you have any other questions, please let me know.

And, as you can imagine, I never heard from this character again.

Don’t Be Conned

If someone contacts you via e-mail to offer you something that’s too good to be true, it just isn’t true.

And for heaven’s sake, don’t sell any large ticket item to someone you haven’t met personally without using an escrow agent.
